9. Styx seen with Wireshark

landing pane

redirect to plugin detect

exe download

10. Detection

Looks like the signature proposals over @malwaresigs are pretty good. But a slight change was seen to what @kafeine reported on 1 static links in the pdfx.html file:
jovf.html - changed from ie78xp.hmtl

add jovf.html to detect the change or add jovf.html and fnts.html.

11. Epilogue

That went well. We made it to the underworld and back with most of the goods we headed out to steal.

Lots of fun stuff for further processing here. Most seem old though. I might try to up my skills on some PDF analysis and more JAR analysis some other day.

Always good to have something waiting in case one get bored one day and/or want to learn some more...